Security Policy

Reporting a security issue to Fluxiom

Fluxiom engineers continuously monitor our network for indications of security vulnerabilities that may put customer data at risk. Should you have any reason to believe that an issue has gone undetected, we encourage you to report it immediately. This page presents the best way to report such problems to us, and introduces our response protocol.

Contacting Fluxiom

We invite users experiencing general issues with Fluxiom to contact our support department. If the problem you wish to report has a bearing on platform integrity, you can also reach our security team at security@fluxiom.com. Alternatively, you can telephone +1 650-284-7142 to record a voicemail message.

When reporting a security issue, please be as thorough as possible. Describe the steps you are taking, the results you are getting and the results you were expecting to get. Also, please provide us with detailed configuration information so that we can reproduce your testing environment as accurately as possible.

Note that you are not required to provide us with personal information. However, doing so will allow us to get back to you, keep you updated on our progress and give you credit for your contributions. You are therefore strongly encouraged to provide us with at least a name or pseudonym and an email address.

Full disclosure

We value the relationship of trust we maintain with our clients above all else. Should we have any reason to believe that a particular account has been compromised, we will liaise with its owners as promptly as possible. We will provide them with detailed information regarding the issue as we understand it, including its cause, duration, and impact. This rule has no exceptions. If a breach were to affect an unknown number of accounts, or all of the accounts we host as a whole, we would additionally post information on our web site, blog or newsletter, depending on the nature and impact of the issue.

Responsible disclosure

While Fluxiom does not condone any cracking attempts, we will not prosecute users who report security issues to us and provide us with the information and time necessary to fix the issue before bringing it to the public’s attention, a practice known as responsible disclosure. Users who opt to disclose security issues to us in a responsible manner will be kept posted about the progress of our analysis, and given due credit once the vulnerability is fixed.

As a general rule, Fluxiom welcomes all feedback from its users and the Internet community at large. This includes members of the security community who wish to share feedback or information with us.

Response procedure

Upon contacting us through our security reporting channels, you can expect to hear back within 48 business hours. Please note that we reply to each and every legitimate submission. If you have not received a reply from us within 48 business hours, feel free to re-submit the ticket or telephone us to ask for a status update.

Once a submission is received and acknowledged, it will be escalated to our engineers, who will analyze the nature of the issue as it relates to the Fluxiom platform. If necessary, emergency patches will be published to the platform while the analysis continues in order to minimize the window of exposure.

We will keep submitters updated throughout the process, and let them know once the final fix has been published. The resolution of security issues takes precedence over the development of new features or the improvement of existing ones, and we will always strive to publish updates as promptly as possible.

Every security update brought to our platform triggers a full quality assurance review, to audit and improve both our code and our testing procedures.

Whitehats

A special thanks goes out to the following researchers, who have helped protect our users in the past.